How to apply killswitch to devices on VPN Policy "Based on the Client Device"?


I’m currently using the VPN Policy Based on the Client Device to send some traffic through the VPN and some through ordinary ISP routing. However if I turn the VPN off, those devices set to go through the VPN fallback to the ISP.

I would like to make it so that if the VPN fails, the devices set to use the VPN under that policy don’t fallback to the ISP connection, but rather just lose connectivity until I restore the VPN. Meanwhile my non-policied devices have connectivity either way.

I’m thinking this would be some sort of custom routing rule but I don’t know where the router is writing all the policy rules; I Putty’d into the router and didn’t see anything in /etc/config/network, /etc/config/firewall, or iptables -L that references the MACs I specified. uci show pbr doesn’t return anything so the router must be storing this info elsewhere.

Any ideas on how I could build a killswitch for my devices connecting via VPN under the VPN Policy “Based on the Client Device”?

That’s not a good test. For testing, you should kill the VPN by for example changing the credentials on server side. If you disable VPN by yourself, other things will happen than if it was killed.

PBR isn’t used.

Further information: [Bug][Feature Request] VPN Policies: Inability to Strictly Enforce MAC VPN Usage with Non-VPN Clients (Kill Switch)

1 Like

Oh by “turn the VPN off” I mean I disabled the client in VPN Dashboard/VPN Client using the toggle.


# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# 2023-07-12-0620:
# iptables -I FORWARD -m mac --mac-source 66:2D:BF:64:EA:62 ! -o wgclient -j DROP

Be sure to add that file to /etc/sysupgrade.conf or you’ll lose it when you flash new.

Slate AX (GL-AXT1800), firmware 4.4.6-release1

1 Like

Has anyone tried this on 4.5.0?

seems to work on 4.5.0 GL-AX1800 . Hope this becomes integrated in the UI soon.

for anyone else searching, firewall.user is in /etc/firewall.user (not /etc/config dir). You can also modify the file via luci UI

And if you want to remove the rule you can just replace -I with -D, everything else the same.